F-Secure's chief research officer Mikko Hypponen sent Fairfax this picture of his web camera.

The question asked was whether the experts concealed their webcam when it was not in use.

Advertisement

Although many web cameras offer a telltale LED light which indicates whether it is active, Fairfax found many security experts didn't trust that it would operate correctly if a hacker compromised their machine. After all, hackers have found ways to disable some webcam lights.

Matt Tett, managing director of Enex TestLab, which is hired by governments and businesses to test their IT systems, told Fairfax he used a Post-it note to secure his web camera.

“It's just a logical thing that paranoid people do, right?” Mr Tett said.

“I've seen a few people do it,” he added.

Information security analyst and Risky.biz podcaster Patrick Gray also admitted to covering up his laptop's camera. When he smoked, he used the glued part of a cigarette paper to protect it.

“If I need my camera I'd rip it off [and] then just stick a new one over the top when I'm done, although I'll probably have to think of something else now I've quit smoking,” Mr Gray said.

Mikko Hypponen, chief research officer at anti-virus firm F-Secure, uses a Band-Aid. In an email response explaining why, he said: “I'm paid to [be] paranoid. So what do you expect?”

Mr Hypponen also noted that the man behind spying software FinFisher and FinSpy, which is sold to governments, was recently snapped with tape over his MacBook's web camera. Another prominent security expert, also publicly outed for using tape over his MacBook camera, was public-key cryptography expert Whitfield Diffie, at the AusCERT security conference in 2010.

Australian security researcher Troy Hunt doesn't cover his web camera. Instead he prefers to turn it away from him when it's not in use. “I am partially paranoid about it,” he said.

“I would hope that the light would come on and save me, but at the end of the day that's [usually] a software decision and we all know what can happen with software,” Mr Hunt added.

Mr Hunt was referring to how it is sometimes better, at least when it comes to something like an LED indicator on a web camera, to make the LED hard-wired so that no matter what is done on the software side of things the LED cannot be turned off even when the camera is active.

Carlo Minassian, CEO of IT security firm Earthwave, said all web cameras and microphones at his company were “disconnected” after use each and every time, as per company policy. If web cameras or microphones were inbuilt, they were disconnected by uninstalling their drivers.

“When testing our customer's networks this is a common threat vector we are able to exploit regularly,” Mr Minassian said. “Furthermore, the building management system including the building security cameras are generally easy to tap into directly or via the admin's PC.”

Asked if others should do the same as the security experts and conceal their camera when it is not in use, Mr Minassian said: “Doing something is better than doing nothing knowing well the potential ramifications.”

David Campbell, director of operations at the federal government's national computer emergency response team, CERT Australia, declined to comment in his personal capacity as an IT security expert via the Attorney-General's Department.

Chris Gatford, of security firm HackLabs, was one of the few that declared they didn't cover their web camera, but said he understood why many people did. “I'm not quite that paranoid,” he said.

“So unfortunately putting sticky tape over [a web camera] is not a control to prevent access [to a computer] in the first place, which is something you'd be most concerned about [protecting].”

Mr Gatford's point is that when a hacker compromises a user using the method outlined in Tuesday's article, they often have full control over a PC, which is likely to have stored data on it that will be much more useful than a live web camera feed to a hacker, depending on their intent.

He said he practised “safe computing practices” – as opposed to covering his web camera – as one of his measures to prevent being compromised, which meant clicking only on trusted links.

For those wanting to implement the tape method, Mr Gatford advised that users should only cover the lens of the web camera and not any LED which could indicate a hacker's presence.

“If your web camera is on you kind of want to know whether or not [the hackers] are getting a picture. [Because if they're in your web camera], presumably they're getting sound,” he said.

The head of the Queensland police fraud squad, Brian Hay, said he didn't conceal his laptop web camera, but labelled the sticky tape security solution as “good safety advice”.

“It's about protecting your privacy,” Mr Hay said. “We all know that computers are not 100 per cent secure devices and this is just another vulnerability that needs to be taken care of. Remove the cover [on your web camera] when you need to use it, cover it when you don't need it.”

One business trying to take advantage of the paranoia offers $US4.99 "iPatches" for devices that have inbuilt cameras which conceals the lens neatly using a slider when it is not in use.

The security experts' comments come after a number of stories about webcam spying have surfaced. Fairfax reported last year that Melbourne-based Rentasaur leased laptops with software on them that tracked a user's location and had the capability to capture imagery.

98 comments

Please list the vulnerable operating systems that these people who have been "hacked" use.

Please also let the world know that not everyone uses Windows.

Commenter

DC

Location

Melbourne

Date and time

April 03, 2013, 8:56AM

1) Every operating system is vulnerable, 2) The world already knows that, and if you don't use Windows I don't know why you would want to alert any hackers to that fact (although they'd probably be very incompetent hackers if they were only aware of Windows)

Commenter

Jon

Location

reality

Date and time

April 03, 2013, 9:46AM

These kinds of hacks are not isolated to PC/Windows. The image of the IT Pro at the top show's his "Mac Book Pro" with a paper slip covering the webcam.

Hacking MAC's is going to become far more lucrative in the future as well seeing the rate at which dimwitted people are rushing out to buy over priced Apple products.

Commenter

mactard

Location

Melb

Date and time

April 03, 2013, 9:51AM

It is not an operating system issue, it is a hardware issue. Macs for example are hardwired so the light has to be on when the camera is on. Unless someone has the motivation and opportunity to physically tamper with that, which is possible.

You can run any operating system, Windows, Linux, OSX on the Mac and it would be safe with that caveat, alternatively if you go to the trouble of installing the Mac OS on some other "Windows" laptop it would not be safe, unless the webcam light was designed the same way as on the Mac.

Commenter

mark

Location

melbourne

Date and time

April 03, 2013, 9:59AM

To clarify what Mark says, all that having the light hardwired means is that it will come on when you're spied upon via your Mac webcam. It does not mean that your computer is safe from being remotely accessed, or that you will know when your Mac (but not your webcam) is remotely accessed, and it definitely does not mean they will be unable to remotely use your webcam. It only means that you might notice that your light has come on when (if) they spy on you via the webcam, whereas you cannot be assured of that with other manufacturers who do not hardwire the light.

Commenter

Jon

Location

reality

Date and time

April 03, 2013, 10:57AM

This is how it works, the infiltrator buys a program online allowing them to create a remote access file to place in victims PC, THE ONLINE COMPANY really hacks your computer and you login to their site to get live-access plus all saved unattended access, live will see webcams, it takes a screenshot as often as you like whilst the infiltrator is not at their comp, it captures everything screens and key logs, can reboot PC, cease mouse, add/remove files etc. No wonder Govt declined to respond as they do NOTHING about hacking and spamming etc. As for the above, the online company is really the infiltrator of your PC and you just login to access what it is hacking. I am an advanced PC person.

Commenter

brian

Location

glenroy

Date and time

April 03, 2013, 11:28AM

Just to answer readers questions, YES IT WORKS ON MAC and all operating systems, Google sniperspy for more information it is scary. I tested this legally with remote persons consent and its scary what it can do. Your best course of action is your anti virus to have good settings, but they work on ways of fooling these programs but most anti virus programs stop it via detection of its implanted file. Your googling will see which operating systems can detect it.

Commenter

brian

Location

glenroy

Date and time

April 03, 2013, 11:34AM

My mac got hacked. The light would come on for the webcam when I wasn't using it. It was weird because I got call after call from people telling me about how my area was under attack from hackers. They wouldn't give up on it. Then when they did give up the mac died.I clicked yes, but now I have external clip on speakers which give much better sound but which cover the webcam anyway.I just worry, all these tech experts have this problem it would seem. Where is the hope for ordinary Joe?

Commenter

Matheus

Date and time

April 03, 2013, 1:19PM

I cant believe how blind you people are. I had written how it occurs and none of you googled SNIPERSPY. As for frank, it is the biggest form of real hacking of all time. No its not done by links. Yes MACS are invaded this way fully. total full access to your PC even if infiltrator is not online. Start GOOGLING before you post further rubbish folks I'm an advanced professional.READ MY POSTS HERE ALSO.

Commenter

Brian

Location

glenroy

Date and time

April 03, 2013, 2:04PM

I voted 'no' because, according to the article and elsewhere on the interwebs, my Mac web-cam light is safe from tampering. And if it's not, then hackers can go nuts on watching me sit at my computer typing. At least I'll know at least one person on this earth is more bored than I am.